Configuring SSL for Node-to-Node Connections

Node-to-node (internode) encryption protects data in-flight between nodes in a DataStax Enterprise (DSE) cluster using SSL.

Prerequisites

Create SSL certificates, keystores, and truststores. You can either create local keystore files or use a remote keystore provider.

OpsCenter Lifecycle Manager can configure DSE clusters to use node-to-node encryption: it automates preparing server certificates with an internal certificate authority and deploys the resulting keystore and truststore to each node.

Procedure

  1. Edit the cassandra.yaml file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/cassandra/cassandra.yaml

    • Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml

  2. In cassandra.yaml, make the following changes to the server_encryption_options section to enable SSL:

    1. Set internode_encryption to one of the following options. This setting determines which internode traffic is encrypted.

      • all: Encrypt all internode communications.

      • none: No encryption.

      • dc: Encrypt the traffic between the datacenters.

      • rack: Encrypt the traffic between the racks.

    2. Set require_client_auth to true to require two-way host certificate validation.

    3. Set require_endpoint_verification to true to verify that the connected node’s IP address matches the certificate.

  3. Configure the keystore and truststore, depending on whether you are using local keystore files or a remote keystore provider. All settings are configured in the server_encryption_options section of cassandra.yaml.

    Local files

    Use the following settings:

    server_encryption_options:
        internode_encryption: all
        keystore_type: JKS
        keystore: <path_to_keystore.jks>
        keystore_password: <keystore_password>
        require_client_auth: true
        require_endpoint_verification: true
        truststore_type: JKS
        truststore: <path_to_truststore.jks>
        truststore_password: <truststore_password>

    To encrypt the truststore and keystore passwords for local encryption, see Encrypting configuration file properties. For KMIP, see Encrypting configuration file properties.

    Remote provider

    Use the following settings. Unused options can be blank or commented out. A remote provider must be installed first; see Using a remote keystore provider.

    server_encryption_options:
       internode_encryption: all
       keystore_type: PKCS12
       require_client_auth: true
       require_endpoint_verification: true
       truststore_type: PKCS12

    The server_encryption_options settings are as follows:

    internode_encryption

    Encryption options for internode communication using the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite for authentication, key exchange, and encryption of data transfers. If running in Federal Information Processing Standard (FIPS) 140 compliant mode, use the DHE/ECDHE ciphers, such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA.

    Possible values include the following:

    • all: Encrypt all internode communications.

    • none (default): No encryption.

    • dc: Encrypt the traffic between the datacenters.

    • rack: Encrypt the traffic between the racks.

    keystore_type

    Valid types are JKS (default), JCEKS, PKCS11, or PKCS12. For file-based keystores, use PKCS12.

    DataStax supports PKCS11 as a keystore_type on nodes with cassandra or advanced workloads.

    If you need to use PKCS11, you must specify the keystore_type as PKCS11 and the keystore as NONE in either server_encryption_options or client_encryption_options depending on your use case.

    PKCS11 isn’t supported as a truststore_type.

    keystore

    Relative path from the DSE installation directory or the absolute path to the Java keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE) (the Java version of the Secure Sockets Layer (SSL)) and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages.

    Default: resources/dse/conf/.keystore

    keystore_password

    Password for the keystore. This must match the password used when generating the keystore and truststore.

    Default: cassandra

    require_client_auth

    Whether to enable certificate authentication for node-to-node (internode) encryption.

    Default: false

    require_endpoint_verification

    Whether to verify the connected host and the host IP address in the certificate match.

    If true, then the endpoint you specify when generating the certificate key must be an IP address. Don’t specify a DNS hostname. For example:

    keytool -genkeypair -keyalg RSA \
        -alias node0 \
        -keystore my_keystore.jks \
        -storepass cassandra \
        -keypass cassandra \
        -validity 730 \
        -keysize 2048 \
        -dname "CN=node0, OU=lacerda-ssl, O=Datastax, C=CC" \
        -ext "san=ip:10.101.35.236"

    Default: false

    truststore_type

    Valid types are JKS (default), JCEKS, or PKCS12. For file-based truststores, use PKCS12.

    Due to an OpenSSL issue, PKCS12 truststores generated with OpenSSL can be incompatible with DSE.

    For example, a truststore generated with the following command might not work with DSE:

    openssl pkcs12 -export -nokeys -out truststore.pfx -in <intermediate.chain.pem>

    However, if you generate a truststore with Java’s keytool, and then convert it to PKCS12, it will work with DSE. For example:

    1. Create the truststore with keytool:

      keytool -importcert -alias <rootca> -file <rootca.pem> -keystore <truststore.jks>

    2. Import the intermediate certificate:

      keytool -importcert -alias <intermediate> -file <intermediate.pem> -keystore <truststore.jks>

    3. Convert the JKS truststore to PKCS12:

      keytool -importkeystore -srckeystore <truststore.jks> -destkeystore <truststore.pfx> -deststoretype pkcs12

    truststore

    Relative path from the DSE installation directory or the absolute path to the truststore containing the trusted certificate for authenticating remote servers.

    Default: resources/dse/conf/.truststore

    truststore_password

    Password for the truststore.

    Default: cassandra

  4. Save and close the cassandra.yaml file.

  5. Restart DSE.
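As an added example (not part of the DataStax documentation), a small Python audit that reads the server_encryption_options block of a cassandra.yaml and reports the settings this page says weaken internode encryption: a mode other than all, either require_* flag not true, the documented default password cassandra for the keystore or truststore, PKCS11 as keystore_type without keystore: NONE, and PKCS11 as a truststore_type. The YAML fragment, paths and passwords in it are constructed, and the parser handles only the flat key: value layout this section uses.

```python
# Added audit script, not DataStax code: parses server_encryption_options without PyYAML.
# Constructed cassandra.yaml fragment with weak settings; not from a real cluster.
WEAK_YAML = """\
cluster_name: 'Test Cluster'
server_encryption_options:
    internode_encryption: dc
    keystore_type: JKS
    keystore: /etc/dse/conf/.keystore
    keystore_password: cassandra
    # require_client_auth: true
    require_endpoint_verification: false
    truststore_type: PKCS11
    truststore: /etc/dse/conf/.truststore
    truststore_password: cassandra
client_encryption_options:
    enabled: false
"""

def parse_block(yaml_text, section="server_encryption_options"):
    """Flat key/value pairs nested under `section`; commented-out keys count as unset."""
    opts, in_section = {}, False
    for raw in yaml_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if len(line) - len(line.lstrip()) == 0:      # top-level key: enter or leave the section
            in_section = line.strip() == section + ":"
        elif in_section and ":" in line:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip().strip("'\"")
    return opts

def audit(yaml_text):
    """Return findings; an empty list means the block matches the hardened settings above."""
    o, findings = parse_block(yaml_text), []
    if o.get("internode_encryption", "none") != "all":      # 'none' is the documented default
        findings.append("internode_encryption is not 'all': some internode links stay cleartext")
    for flag in ("require_client_auth", "require_endpoint_verification"):
        if o.get(flag, "false").lower() != "true":           # documented default is false
            findings.append(flag + " is not true")
    for pw in ("keystore_password", "truststore_password"):
        if o.get(pw, "cassandra") == "cassandra":            # documented default password
            findings.append(pw + " is the documented default 'cassandra'")
    if o.get("keystore_type", "JKS").upper() == "PKCS11" and o.get("keystore", "").upper() != "NONE":
        findings.append("keystore_type PKCS11 requires keystore: NONE")
    if o.get("truststore_type", "JKS").upper() == "PKCS11":
        findings.append("PKCS11 is not supported as a truststore_type")
    return findings
```

Run audit() over the file's contents and fix each finding; the local-file settings from step 3, with non-default passwords, produce an empty list.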
